๐Ÿ” CVE Alert

CVE-2025-15599

MEDIUM 6.1

DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML

CVSS Score 6.1
EPSS Score 0.0%
EPSS Percentile 0th

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

CWE CWE-79
Vendor cure53
Product dompurify
Published Mar 3, 2026
Last Updated Mar 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Affected Versions

cure53 / DOMPurify
3.1.3 through 3.2.6
2.5.3 through 2.5.8

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/cure53/DOMPurify
github.com (fix commit): https://github.com/cure53/DOMPurify/commit/c861f5a83fb8d90800f1680f855fee551161ac2b
vulncheck.com: https://www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safe-for-xml

Credits

Scott Moore - VulnCheck